Hi, I'm trying to split a large PCAP by limiting each output file to 5 million packets using the EditCap CLI. I use the command "editcap -c 5000000 inputFilePath outputFilePath" and some sort of split occurs. But when I tshark the resulting files, they each seem to start at index 1 in the first column, and at time 0 in the 2nd column. Is there a way to maintain the original values for either of these first two columns? I need the time to be maintained at least constant from the original file.
asked 16 Oct '17, 18:37
The index is the index into that particular file, so no, that will always start at 1.
The time is the time from the previous packet in that particular file, so no, that will always start at 0.
As you remark that the 'time to be maintained at least constant from the original file', I assume you mean that you want to keep the original wall clock timestamps. That is in fact happening; you would have to select the timestamp output to print the wall clock time instead of the time since the previous packet.
answered 16 Oct '17, 23:16
Thanks. I'm checking out https://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSection.html regarding timestamp formats. Do you know if the format can be selected after I already have the original pcap file, or is the formatting some setting that needs to be specified prior to capturing the packets? I will accept the answer when I get these specifics figured out.
The time format sets how timestamps are displayed, it does NOT affect the timestamps in the file.
Just add another column for Absolute Time: Edit -> Preferences -> Columns -> + -> Absolute date, as YYYY-MM-DD, and time. Rename the column and drag it to whatever location in the list you like. You can have multiple time format columns.
Ok thanks, so I'll check into splitting the file, then rendering the times in Absolute format via https://ask.wireshark.org/questions/30393/tshark-how-to-output-date-in-iso-format . Cannot really use the WS UI for this purpose since I need to automate this.
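A small Python model of what the answer above describes, added here as an example (it is not Wireshark's or editcap's code): it builds a constructed pcap, splits it by record count the way editcap -c does while leaving each record's stored timestamp untouched, and then derives both the "absolute" and "since previous packet" time columns from each piece, showing that only the relative view restarts at 0. It assumes classic little-endian, microsecond-resolution pcap (magic 0xA1B2C3D4).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps
# magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
GLOBAL_HDR = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)

def build_pcap(timestamps, payload=b"\x00" * 14):
    """Build a pcap from constructed (sec, usec) pairs, one dummy frame per timestamp."""
    out = bytearray(GLOBAL_HDR)
    for sec, usec in timestamps:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return bytes(out)

def read_records(data):
    """Yield (sec, usec, frame) per record; sec/usec is the absolute epoch time stored in the file."""
    assert struct.unpack("<I", data[:4])[0] == PCAP_MAGIC, "only classic LE usec pcap handled"
    off = 24
    while off < len(data):
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec, usec, data[off:off + incl_len]
        off += incl_len

def split_by_count(data, per_file):
    """Mimic `editcap -c N`: copy the global header into each piece and chunk records N at a time."""
    pieces, cur = [], bytearray(data[:24])
    for n, (sec, usec, frame) in enumerate(read_records(data), 1):
        # the record header is copied verbatim, so the wall-clock timestamp survives the split
        cur += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
        if n % per_file == 0:
            pieces.append(bytes(cur))
            cur = bytearray(data[:24])
    if len(cur) > 24:
        pieces.append(bytes(cur))
    return pieces

def time_columns(data):
    """Return (index, absolute_seconds, delta_from_previous) per packet: the two views tshark can print."""
    rows, prev = [], None
    for i, (sec, usec, _) in enumerate(read_records(data), 1):
        abs_t = sec + usec / 1e6
        rows.append((i, abs_t, 0.0 if prev is None else round(abs_t - prev, 6)))
        prev = abs_t
    return rows
```

With the real tools the absolute view is what `tshark -t ad -r piece.pcap` prints from those stored timestamps; the index and the "since previous packet" delta are recomputed per file, exactly as the answer says.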